The term ‘digital transformation’ has different connotations for different people. For some, digital transformation is about using artificial intelligence to improve customer experience while for others, it could be about using cloud technology and analytics software to optimise their logistics processes. In a nutshell, digital transformation represents how businesses innovate their processes through technology.
Interest surrounding this subject has increased rapidly in recent years. Google Trends data shows a steady rise in UK searches for ‘digital transformation’ since 2014, indicating that technological innovation has increasingly become a priority for business owners to consider.
This rise in interest mirrors recent reports of growing investment in digital transformation. A recent report by Deloitte found that the average budget for medium-sized businesses to invest in digital transformation increased by 25% in the last year alone. Likewise, a report, ‘The State of Digital Transformation’, found that growth opportunities (51%) and increased competitive pressure (41%) are the primary reasons for businesses investing in digital transformation.
Despite this growing enthusiasm, there still remains a level of uncertainty, especially among smaller businesses. Last year’s implementation of GDPR legislation now means that businesses are required to map their data flows, assess the risks in their data processing activities and identify where controls must be implemented. Innovation therefore now carries a greater risk of sensitive data becoming lost, or even worse, stolen. With the maximum fine for non-compliance standing at €20 million or 4% of annual turnover, the consequences of making mistakes are too great to be ignored.
When the specific requirements of GDPR were originally announced and Privacy by Design was, for the first time, to be made a legal requirement for IT projects, it was feared that hundreds of digital transformation projects – many of which had been scoped and designed months, if not years previously – would become derailed or, worse, reach an indefinite impasse. After all, retrospective Privacy by Design is often impossible, but stopping the project and re-starting from the ground up is typically out of the question.
If digital transformation aims to free up as much data and accurate context as possible across the business, and data privacy looks to ensure confidentiality and pseudonymisation, how can the two co-exist?
Keep the project focused
A prerequisite to successfully implementing digital transformation is keeping your business goals specific and achievable. Businesses far too often overstretch themselves by making bold plans, only to fall short and risk not only their reputation but their sensitive data.
We once worked with a major European retailer who wanted to design a more optimal working environment using technology. By tracking their staff’s use of physical and digital resources, they wanted to find areas of the business that were not performing to maximum efficiency and rectify the issue.
Moreover, they wanted to integrate this data with employee HR records, looking at usage report and access card data alongside employee attendance and performance metrics to identify which employees were underperforming and which deserved promotions. The idea worked on paper, as it removed the risk of subconscious bias that may have been present in performance reviews.
However, the company failed to make the wider team aware of the proposed structure and had not even considered their individual privacy rights during the design phase. Employees were subject to an automated decision-making process without any awareness, and therefore without consent, which directly contradicts GDPR. As a result, the project had to be entirely rethought, creating both financial and reputational costs.
The technical infrastructure was secure and the workflows and machine learning in place were admirable, but the company attempted to make changes that were too far-reaching and were not communicated to the privacy team.
Make privacy a priority from the beginning
To avoid potentially damaging data breaches, companies should make the security of their company data a priority from the beginning. In attempting to make widespread changes to a business’ operations, effective security precautions are too often left to be dealt with later, causing sometimes serious issues down the line.
We once worked with an international medical organisation which produces devices for the healthcare industry. The developer team used an IoT technology to monitor the use of every device they created with the aim of using the data for product development and maintenance.
Being a company that collected healthcare data, the need to keep private information secure was even more important. Last year’s GDPR legislation places special importance on healthcare data and therefore outlines additional rules with regard to its storage and use. Nevertheless, at no point were the patients, healthcare professionals or indeed the wider business beyond the developer team made aware that their data was being collected and used in this way.
Any company looking to undertake a similar initiative should decide on a set of project oversight practices at the start to ensure that the project is vetted by a privacy or legal expert before it proceeds further. Documentation recording and governing the data’s collection, storage and use must also be produced.
In the case outlined above, none of these steps were followed and it was only once the legal team had begun their GDPR preparations and company-wide audit of data use that they discovered this activity. The project was immediately halted, leading to product development delays, unhappy investors and the extra cost of re-launching a similar project without data issues.
Despite its potential pitfalls, digital transformation remains an extremely exciting venture for businesses of all shapes and sizes. The prospect of leveraging cutting-edge technology to accelerate their business’ processes and thereby make themselves more competitive is certainly attractive. However, data privacy should always be a foundation of any digital transformation project, as without it, the whole house will start to fall.
A consideration businesses should make is hiring Privacy Architects to assess their objectives and the privacy legislation that they will have to comply with. Privacy Architects are experts in both privacy and technology, a rare yet essential combination of expertise. Without knowledge of privacy law, technology projects can create new risks for a business. The wider effects of these risks go far beyond penalties and fines, reaching the heart of whether customers can trust you.